V.1.5.0 operator SSL handshake issue

Hi,

I am using the v1.5.0 Kubernetes operator for mongo, cluster version v1.14.1, mongo image: percona/percona-server-mongodb:3.6

And I have an issue with a lot of requests from the operator to the mongo pods:

2020-11-01T16:15:37.169+0000 I NETWORK [conn5119] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 10.40.0.3:40190 (connection id: 5119)

2020-11-01T16:15:37.169+0000 I NETWORK [conn5119] end connection 10.40.0.3:40190 (20 connections now open)

2020-11-01T16:15:37.172+0000 E NETWORK [conn5120] no SSL certificate provided by peer; connection rejected

2020-11-01T16:15:37.172+0000 I NETWORK [conn5120] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 10.40.0.3:40196 (connection id: 5120)

2020-11-01T16:15:37.172+0000 I NETWORK [conn5120] end connection 10.40.0.3:40196 (19 connections now open)

This is with the default configuration in cr.yaml (no SSL options in the secrets section); the operator has created the SSL secrets:

mongo-cluster-ssl kubernetes.io/tls 3 13m

mongo-cluster-ssl-internal kubernetes.io/tls 3 13m

I tried to disable SSL altogether by setting the option allowUnsafeConfigurations: true, removing the SSL secrets, applying the CR and restarting the operator; after that I get different errors in the mongo log:

2020-11-01T16:22:51.830+0000 I NETWORK [listener] connection accepted from 10.40.0.3:53330 #2454 (17 connections now open)

2020-11-01T16:22:51.831+0000 I NETWORK [conn2454] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 10.40.0.3:53330 (connection id: 2454)

2020-11-01T16:22:51.831+0000 I NETWORK [conn2454] end connection 10.40.0.3:53330 (16 connections now open)

2020-11-01T16:22:52.162+0000 I NETWORK [listener] connection accepted from 10.40.0.3:53342 #2455 (17 connections now open)

2020-11-01T16:22:52.163+0000 I NETWORK [conn2455] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 10.40.0.3:53342 (connection id: 2455)

So the question is how to make the operator work correctly with SSL certs, in the first case to avoid SSL handshake issues, or how to disable SSL altogether (2nd case)?

Hello @EugeneK,

thanks for submitting this. We are aware of this issue and it is going to be fixed in the next release of the operator (v 1.6), which is planned to go out by the end of 2020.

The code is already there and merged:

Jira issue: https://jira.percona.com/browse/K8SPSMDB-268

PR: https://github.com/percona/percona-server-mongodb-operator/pull/434

Please let me know if it helps.

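For triaging mongod output like the lines quoted in the question, the following added example (not part of the thread and not Percona's code) groups SSLHandshakeFailed events by client IP and by which side's TLS settings disagree. The sample log is constructed from the format shown above, and the diagnosis labels are names chosen here for illustration.

```python
import re
from collections import Counter

# Constructed sample: log lines in the format quoted in the question above.
SAMPLE_LOG = """\
2020-11-01T16:15:37.169+0000 I NETWORK [conn5119] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 10.40.0.3:40190 (connection id: 5119)
2020-11-01T16:15:37.169+0000 I NETWORK [conn5119] end connection 10.40.0.3:40190 (20 connections now open)
2020-11-01T16:15:37.172+0000 E NETWORK [conn5120] no SSL certificate provided by peer; connection rejected
2020-11-01T16:15:37.172+0000 I NETWORK [conn5120] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 10.40.0.3:40196 (connection id: 5120)
2020-11-01T16:22:51.831+0000 I NETWORK [conn2454] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 10.40.0.3:53330 (connection id: 2454)
"""

# Only the "Error receiving request" lines carry both the reason and the peer address.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+) \w NETWORK\s+\[conn\d+\] Error receiving request from client: "
    r"SSLHandshakeFailed: (?P<reason>.+?)\. Ending connection from "
    r"(?P<ip>[\d.]+):\d+ \(connection id: \d+\)"
)

# Map the server's reason text to which side's TLS settings disagree
# (label names are hypothetical, chosen for this example).
DIAGNOSIS = {
    "no SSL certificate provided by peer; connection rejected":
        "client_sent_no_cert",      # server requires a client certificate
    "SSL handshake received but server is started without SSL support":
        "client_tls_server_plain",  # client speaks TLS, server does not
}

def summarize(log_text):
    """Count SSLHandshakeFailed events per (client IP, diagnosis)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue  # skip "end connection" and other unrelated lines
        diag = DIAGNOSIS.get(m.group("reason"), "other")
        counts[(m.group("ip"), diag)] += 1
    return counts

if __name__ == "__main__":
    for (ip, diag), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}\t{diag}\t{n}")
```

A single source IP showing only one diagnosis, as 10.40.0.3 does in each of the two cases in the question, points to one client whose TLS settings do not match the server's.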